Caddyv2 Caddyfile TLS configuration

refaelf · September 9, 2021, 8:56am

1. Caddy version (`caddy version`):

2.4.3

2. How I run Caddy:

complied using xcaddy

a. System environment:

AWS EC2 rhel fedora

b. Command:

sudo ./caddyx run

c. Service/unit/compose file:

d. My complete Caddyfile or JSON config:

{
        servers :443 {
                listener_wrappers {
                        proxy_protocol {
                                timeout 5s
                                allow 0.0.0.0/0
                        }
                        tls my_email@example.com {
                                ca https://acme.zerossl.com/v2/DV90
                                protocols tls1.2 tls1.2
                        }
                }
        }

        servers :80 {
                listener_wrappers {
                        proxy_protocol {
                                timeout 5s
                                allow 0.0.0.0/0
                        }
                }
        }
}

example.com:80 {
        log
        file_server * {
                root /home/http
        }
}

example.com:443 {
        log
        file_server * {
                root /home/http
        }
}

3. The problem I’m having:

I’ve compiled my xcaddy with the caddy2-proxyprotocol library GitHub - mastercactapus/caddy2-proxyprotocol and it works well.

My problem is that trying to set a different ca\issuer, of zeroSSL, doesn’t work, meaning letsencrypt is tried first and only if it fails (rate-limit for example) then zeroSSL is used. And also setting the protocols doesn’t affect anything and TLS1.3 is still supported.

What am I doing wrong? I want to to have 2 listeners of the same domain, on HTTP (80) and HTTPS (443). This is my Caddyfile

4. Error messages and/or full log output:

5. What I already tried:

When trying to set the tls setting this way it still doesn’t work

tls {
                                issuer zerossl
                                protocols tls1.2 tls1.2
}

6. Links to relevant resources:

francislavoie · September 9, 2021, 4:59pm

You’re getting two different tls configuration locations confused.

In listener wrappers, tls is just a placeholder entry to make sure the handling of proxy_protocol happens before TLS handling. You can’t actually configure TLS options there.

I realize that you probably clicked on tls in the docs here Global options (Caddyfile) — Caddy Documentation which probably made you think you could do that.

For configuring TLS options, you need to use either these other TLS global options or the tls directive inside of site blocks.

See how the Caddyfile is structured in the docs below, i.e. “directives” are things that go inside site blocks, not interchangeable with global options.

What are you actually trying to do though? Do you actually have something in front of Caddy that uses the PROXY protocol? Why do you need to change protocols to remove TLS 1.3? That seems like a bad idea, TLS versions are negotiated automatically between the client and server. Do you really need to serve content in both HTTP and HTTPS? Why not just redirect HTTP to HTTPS (Caddy’s default behaviour)?

refaelf · September 19, 2021, 12:45am

Thanks a lot! And sorry for my late reply.
Your assumption is correct, I did understand this thing wrong because of the links you’ve posted.

Yes I do have a load balancer that uses the PROXY protocol.

I prefer both HTTP and HTTPS due to network-bandwidth-saving reasons.

And actually I’d like to change protocols in order to enable TLS1.0 and TLS1.1, since my website doesn’t contain\transfer sensitive data and the more old protocols and ciphers I support, the more old platform are able to access the website. For instance according to ssllabs server test, currently caddy2 is unable to support the following platforms:
Safari 6 / iOS 6.0.1
Safari 7 / iOS 7.1
Safari 7 / OS X 10.9
Safari 8 / iOS 8.4
Safari 8 / OS X 10.10
Because the handshake fails.

I’ve tried undoing this change: tls: Remove support for TLS 1.0 and TLS 1.1 · caddyserver/caddy@2cb01d4 · GitHub which is mentioned here: How to enable TLS 1.1 inside a Caddyfile with Caddy 2 - Stack Overflow and recompile, but it doesn’t seem to affect - tls1.0 and tls1.1 still weren’t available.
Is there any other place that prevents me from enabling tls1.0 and tls1.1? Like some other code that checks the Caddyfile and ignores old protocols and ciphers?

refaelf · September 21, 2021, 1:43pm

If anyone runs into the same issue: not only the values.go file which is mentioned here tls: Remove support for TLS 1.0 and TLS 1.1 · caddyserver/caddy@2cb01d4 · GitHub should be edited, but also MinVersion occurrences in this file: modules/caddytls/connpolicy.go

And for wider coverage of old platforms, obviously the more ciphers the better, but don’t forget that their order in Caddyfile matters, so ciphers which are old and http2-blacklisted should be written last, so the server will attempt using them as last resort, on old browsers, and not make new browser reject the handshake.

So if you use (the default) key_type p256

These got me a very wide coverage:
ciphers TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

francislavoie · September 21, 2021, 2:29pm

The order does not matter if you build with Go 1.17:

system · October 9, 2021, 8:57am

This topic was automatically closed after 30 days. New replies are no longer allowed.